Get Access Token

This token endpoint complies with the OAuth 2.0 specification and must be used by the client to obtain an access token with client authentication. Note that the request payload must be in urlencoded form format (not JSON).

Request
URI
POST
https://{api_host}//acs/t/{tenant}/token
Path Parameters
string
tenant
Required

The VMware Identity Services tenant ID

tenant example
my-tenant

Request Body
TokenFormData of mimetype application/x-www-form-urlencoded
Optional
string As ^[a-zA-Z0-9\-_.@]+$
client_id
Optional

This is the identifier of the OAuth 2.0 client that was registered in VMware Identity Manager. Only used when a basic Authorization header is not present in the request.

string As ^[\x20-\x7E]+$
client_secret
Optional

The client secret. Only used when a basic Authorization header is not present in the request.

string As ^[a-zA-Z0-9\-":\s_.+]+$
scope
Optional

Optional list of scopes, separated by spaces and URL encoded. The scopes must be equivalent to, or a subset of, the scopes defined in the OAuth2.0 client. Scopes that don't match any of the scopes defined in the OAuth2.0 client will be ignored. If omitted or empty, the scopes defined in the OAuth2.0 client will be used.

string
redirect_uri
Optional

Specifies the callback endpoint in your application that will receive the authorization code. It must match the redirect_uri defined in your OAuth2.0 client registration in VMware Identity Manager. When sending the redirect_uri as a URL parameter it has to be URL encoded. Required only if the grant_type is 'authorization_code'.

string As ^[a-zA-Z0-9+\-_.@\s]+$
domain
Optional

Specifies the user's domain. If this parameter is specified, the login screen will skip the domain selection page. This can be used when it is known that a single domain is used or the domain information can be inferred automatically (from the username for example). This is a VMware Identity Manager optional parameter and is not in the OAuth 2.0 specification. Required only if the grant_type is 'password'.

string
username
Optional

The username, UTF-8 encoded. Required only when grant_type is 'password'.

string
password
Optional

The password, UTF-8 encoded. Required only when grant_type is 'password'.

string
grant_type
Required

Specifies the OAuth grant type the client is making. It must be one of the grant types that are defined in the OAuth2.0 client. VMware Identity Manager supports the following grant types from the OAuth specifications: authorization_code, password, client_credentials, and refresh_token. VMware Identity Manager also supports the grant type urn:ietf:params:oauth:grant-type:jwt-bearer for using JWTs for authorization as described in the JWT Bearer Token Profiles for OAuth 2.0 specifications.

Possible values are: authorization_code, password, client_credentials, refresh_token, urn:ietf:params:oauth:grant-type:jwt-bearer
string
code
Optional

The authorization code received from the authorize request. Required only if the grant_type is 'authorization_code'.

string As ^[A-Za-z0-9]+$
refresh_token
Optional

The refresh token, which can be used to obtain new access tokens using the same authorization grant. Required only if the grant_type is 'refresh_token'.

string
assertion
Optional

The assertion being used as an authorization grant. If an assertion is not valid or has expired, the 'invalid_grant' error code is returned. Required only if the grant_type is 'urn:ietf:params:oauth:grant-type:jwt-bearer'.

string
subject_token_type
Optional

Field is reserved for future use.

string
subject_token
Optional

Field is reserved for future use.
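
Added example, not part of the VMware reference: a Python helper that assembles this request offline, enforcing the per-grant required parameters and the value patterns listed above, and placing the client credentials in a Basic Authorization header instead of the form body. The function name build_token_request is hypothetical, and sending the credentials as plain "id:secret" is an assumption.

```python
import base64
import re
from urllib.parse import quote, urlencode

# URI template and value patterns as printed in the reference above.
URI_TEMPLATE = "https://{api_host}//acs/t/{tenant}/token"
PATTERNS = {
    "client_id": r"[a-zA-Z0-9\-_.@]+",
    "client_secret": r"[\x20-\x7E]+",
    "scope": r'[a-zA-Z0-9\-":\s_.+]+',
    "domain": r"[a-zA-Z0-9+\-_.@\s]+",
    "refresh_token": r"[A-Za-z0-9]+",
}
# Parameters the reference marks "Required only if the grant_type is ...".
REQUIRED = {
    "authorization_code": ("code", "redirect_uri"),
    "password": ("username", "password", "domain"),
    "client_credentials": (),
    "refresh_token": ("refresh_token",),
    "urn:ietf:params:oauth:grant-type:jwt-bearer": ("assertion",),
}

def build_token_request(api_host, tenant, grant_type, client_id, client_secret, **params):
    """Return (url, headers, body) for the token endpoint without sending it."""
    if grant_type not in REQUIRED:
        raise ValueError(f"unsupported grant_type: {grant_type!r}")
    fields = {"grant_type": grant_type, **params}
    missing = [name for name in REQUIRED[grant_type] if not fields.get(name)]
    if missing:
        raise ValueError(f"{grant_type} requires: {', '.join(missing)}")
    checked = {**fields, "client_id": client_id, "client_secret": client_secret}
    for name, value in checked.items():
        # fullmatch, because '$' in re.match would accept a trailing newline.
        if name in PATTERNS and not re.fullmatch(PATTERNS[name], value):
            raise ValueError(f"{name} does not match the documented pattern")
    # Client authentication goes in the Basic header, so the secret stays out of the body.
    # Assumption: credentials are sent as plain "id:secret" without extra form-encoding.
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    url = URI_TEMPLATE.format(api_host=api_host, tenant=quote(tenant, safe=""))
    return url, headers, urlencode(fields)  # urlencoded form, not JSON
```

The returned body can be passed as the raw POST data to any HTTP client; because the secret travels only in the header, request-body logging does not capture it.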

Authentication
This operation uses the following authentication methods.
Responses
200

OAuth 2.0 access token was successfully obtained.

Returns OAuth2Token of type(s) application/json;charset=UTF-8
{
    "scope": "admin openid",
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9xxxxHVcA76zjsGN2w...",
    "token_type": "Bearer",
    "expires_in": 21599,
    "refresh_token": "21599",
    "id_token": "string"
}
string
scope
Optional

The scope of the access token issued. The value is expressed as a list of space-delimited, case-sensitive strings.

string
access_token
Optional

The requested access token. This token can now be used to call VMware Identity Manager APIs. For example, with the 'Bearer' token type, use 'Bearer <this access token value>' as the 'Authorization' header. The access token is a JSON web token (JWT).

string
token_type
Optional

The access token type. It provides the client with the information required to successfully utilize the access token to make a protected resource request. For example, the 'Bearer' token type is utilized by simply including the access token string in the request: Authorization: Bearer mF_9.B5f-4.1JqM

integer As int64
expires_in
Optional

The time (in seconds) in which this token expires. If the return value is positive, the access token is going to expire in that many seconds. If the return value is 0, the access token has already expired. If the return value is -1, the token state could not be determined, since the access token doesn't contain an expiration value.

string
refresh_token
Optional

The refresh token associated with the access token, if any. This refresh token can be used to request a refresh for the associated access token.

string
id_token
Optional

ID Token value as defined by OpenID Connect 1.0


400

The error can be any of the following: the provided grant type is not supported, the request is missing a required parameter, the provided authorization grant is invalid, or the authenticated client is not authorized to use this authorization grant type. The error description will contain 'error' and 'error_description' fields. See the OAuth2.0 spec for further details.

Operation doesn't return any data structure

401

Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). Check the 'Authorization' header.

Operation doesn't return any data structure